Re: Wheezy update of ikiwiki?
On Sat, 07 May 2016 at 23:34:12 +0100, Simon McVittie wrote:
> On Sat, 07 May 2016 at 23:36:36 +0200, Markus Koschany wrote:
> > CVE-2016-4561 would be rather easy to fix in Wheezy but if you think the
> > ImageMagick mitigation is even more important, it is certainly possible
> > to fix that too.
> 
> Yes, I do think that. The security team have given me permission to
> upload both changes to jessie-security, so that's in the pipeline now.
> 
> I'll look into preparing a matching wheezy update tomorrow.

Please review and/or test:
<https://git.pseudorandom.co.uk/smcv/ikiwiki.git/shortlog/refs/heads/debian-wheezy-proposed>
<https://people.debian.org/~smcv/ikiwiki_3.20120629.2+deb7u1/>
(unsigned temporary package for testing, will be signed when ready)

Note that I haven't done any real-world testing on this version, because
I haven't run wheezy since around the time jessie was released, and my
production ikiwiki instances use the latest upstream release from
jessie-backports. t/img.t passes in autopkgtest and an SVG [[!img]]
in the documentation still works, though.

The ImageMagick mitigation involved some re-indentation, so the easiest
version to review is probably ignore-space-change.patch, which is the
result of git diff --ignore-space-change.

Some notes about the debdiff to pre-empt questions that people will
probably have:

* Some diffs appear twice. This is because debdiff dereferences
  symbolic links and compares the content: NEWS and ChangeLog are symlinks
  to equivalents in debian/.

* .gitignore and .gitattributes are in the debdiff because
  old git-buildpackage excluded them, and new git-buildpackage
  doesn't. They should have no practical effect either way, and I don't
  intend to waste time redoing the package to exclude them.

* I backported the entire img plugin because the mitigation
  doesn't merge cleanly onto a 4 year old version, and in my opinion,
  either resolving the conflicts or arbitrarily reverting individual bug
  fixes would have a higher risk of regressions than taking the whole
  thing.  It is now identical to what's in jessie-security, and almost
  identical to what's in sid (an extra commit making img_allowed_formats
  case-insensitive was accidentally left out of 3.20160506 and will be
  in the next release to sid).

* The autopkgtest suite only includes img.t and not the complete
  test suite from sid, because turning the build-time tests into
  as-installed tests post-jessie involved a significant diffstat.

Regards,
    S